qemu-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] f2c8ae: hw/ufs: Fix buffer overflow bug


From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] f2c8ae: hw/ufs: Fix buffer overflow bug
Date: Wed, 01 May 2024 06:49:58 -0700

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: f2c8aeb1afefcda92054c448b21fc59cdd99db30
      
https://github.com/qemu/qemu/commit/f2c8aeb1afefcda92054c448b21fc59cdd99db30
  Author: Jeuk Kim <jeuk20.kim@samsung.com>
  Date:   2024-04-29 (Mon, 29 Apr 2024)

  Changed paths:
    M hw/ufs/ufs.c

  Log Message:
  -----------
  hw/ufs: Fix buffer overflow bug

It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.

You can reproduce it by:

cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000058 0x1 0xa7
write 0xa 0x1 0x50
EOF

Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>


  Commit: 50761a5a9aeaed928807229a86d619b5251598ff
      
https://github.com/qemu/qemu/commit/50761a5a9aeaed928807229a86d619b5251598ff
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c
    M qga/commands-win32.c
    M qga/qapi-schema.json

  Log Message:
  -----------
  qga: guest-get-fsinfo: add optional 'total-bytes-privileged' field

Since the commit 25b5ff1a86 ("qga: add mountpoint usage info to
GuestFilesystemInfo") we have 2 values reported in guest-get-fsinfo:
used = (f_blocks - f_bfree), total = (f_blocks - f_bfree + f_bavail) as
returned by statvfs(3).  While on Windows guests that's all we can get
with GetDiskFreeSpaceExA(), on POSIX guests we might also be interested in
total file system size, as it's visible for root user.  Let's add an
optional field 'total-bytes-privileged' to GuestFilesystemInfo struct,
which'd only be reported on POSIX and represent f_blocks value as returned
by statvfs(3).

While here, also tweak the docs to reflect better where those values
come from.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-2-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: c3f32c13a325f1ca9a0b08c19fefe9e5cc04289d
      
https://github.com/qemu/qemu/commit/c3f32c13a325f1ca9a0b08c19fefe9e5cc04289d
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga: introduce ga_run_command() helper for guest cmd execution

When executing guest commands in *nix environment, we repeat the same
fork/exec pattern multiple times.  Let's just separate it into a single
helper which would also be able to feed input data into the launched
process' stdin.  This way we can avoid code duplication.

To keep the history more bisectable, let's replace qmp commands
implementations one by one.  Also add G_GNUC_UNUSED attribute to the
helper and remove it in the next commit.

Originally-by: Yuri Pudgorodskiy <yur@virtuozzo.com>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-3-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 123f040a6ba3530c4c427a27522d4f1ec013b4d8
      
https://github.com/qemu/qemu/commit/123f040a6ba3530c4c427a27522d4f1ec013b4d8
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: qmp_guest_shutdown: use ga_run_command helper

Also remove the G_GNUC_UNUSED attribute added in the previous commit from
the helper.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-4-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 1fce82bc407dae3a7a2a7c58a8955fc3598ed25f
      
https://github.com/qemu/qemu/commit/1fce82bc407dae3a7a2a7c58a8955fc3598ed25f
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: qmp_guest_set_time: use ga_run_command helper

There's no need to check for the existence of "/sbin/hwclock", the
exec() call will do that for us.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-5-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 8ef383b460826e1ab138e892559f7ed2305e049d
      
https://github.com/qemu/qemu/commit/8ef383b460826e1ab138e892559f7ed2305e049d
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: execute_fsfreeze_hook: use ga_run_command helper

There's no need to check for the existence of the hook executable, as the
exec() call will do that for us.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-6-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 2048129625bdca60bc76d3b8c3ee51c08aacedc2
      
https://github.com/qemu/qemu/commit/2048129625bdca60bc76d3b8c3ee51c08aacedc2
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: don't do fork()/exec() when suspending via sysfs

Since commit 246d76eba ("qga: guest_suspend: decoupling pm-utils and sys
logic") pm-utils logic is running in a separate child from the sysfs
logic.  Now when suspending via sysfs we don't really need to do that in
a separate process as we only need to perform one write to /sys/power/state.

Let's just use g_file_set_contents() to simplify things here.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-7-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 0e5b75a3902f2325cbdb07954e2c2ca2f7fcb9dd
      
https://github.com/qemu/qemu/commit/0e5b75a3902f2325cbdb07954e2c2ca2f7fcb9dd
  Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: qmp_guest_set_user_password: use ga_run_command helper

There's no need to check for the existence of the "chpasswd", "pw"
executables, as the exec() call will do that for us.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: 
https://lore.kernel.org/r/20240320161648.158226-8-andrey.drobyshev@virtuozzo.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 1cc9932700339042e83c6c54114734231630548c
      
https://github.com/qemu/qemu/commit/1cc9932700339042e83c6c54114734231630548c
  Author: aidaleuc <aidan_leuck@selinc.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    A qga/commands-common-ssh.c
    A qga/commands-common-ssh.h
    M qga/commands-posix-ssh.c
    M qga/meson.build

  Log Message:
  -----------
  qga: Refactor common SSH functions

Message-Id: <20240424144029.30665-2-aidan_leuck@selinc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

In preparation of a Windows implementation, move the
non-POSIX specific code to commands-common-ssh.

Signed-off-by: Aidan Leuck <aidan_leuck@selinc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Dehan Meng <demeng@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: https://lore.kernel.org/r/20240424144029.30665-2-aidan_leuck@selinc.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: 6b9296ba7a9cf7adb157c51c124ca522d2180739
      
https://github.com/qemu/qemu/commit/6b9296ba7a9cf7adb157c51c124ca522d2180739
  Author: aidaleuc <aidan_leuck@selinc.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    A qga/commands-windows-ssh.c
    A qga/commands-windows-ssh.h
    M qga/meson.build
    M qga/qapi-schema.json

  Log Message:
  -----------
  qga: Implement SSH commands for Windows

Signed-off-by: Aidan Leuck <aidan_leuck@selinc.com>
Tested-by: Dehan Meng <demeng@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Link: https://lore.kernel.org/r/20240424144029.30665-3-aidan_leuck@selinc.com
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>


  Commit: d5a8f0b200c41fe405f48c5d672c1338beab8d4c
      
https://github.com/qemu/qemu/commit/d5a8f0b200c41fe405f48c5d672c1338beab8d4c
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    A qga/commands-common-ssh.c
    A qga/commands-common-ssh.h
    M qga/commands-posix-ssh.c
    M qga/commands-posix.c
    M qga/commands-win32.c
    A qga/commands-windows-ssh.c
    A qga/commands-windows-ssh.h
    M qga/meson.build
    M qga/qapi-schema.json

  Log Message:
  -----------
  Merge tag 'qga-pull-2024-05-01' of https://github.com/kostyanf14/qemu into 
staging

qga-pull-2024-05-01

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEwsLBCepDxjwUI+uE711egWG6hOcFAmYx8fgACgkQ711egWG6
# hOflAw//fDHAQzcrWFggn4Ly1p1QQK+AYdQPbmKCIV7j64k05kCFU+bQxbMT9Fmr
# RsWPXHv5t36ySKxaML412r7fqX19bm7RP31hlau76KtZsTJXFR/dbC6jNWXi/Qfd
# 5Z1mwK4lyW+TROPx6gA2tZddqAZsSxLlArhXGj9nUcQBXDebKD/rO4jYrRBWI7uG
# hV2mmolGbsNSzinfhujY2yVpm3SMEEc9IQ/CDd11HUsgJjAkXVxCDfKDXCmMKUAm
# 7B6VYjQpy6zjXG/eWxIp2b7HVyEEAazHizk431IwDPXpf4G8kecEVTEdQrh6tea1
# ojlfv4KhA5TuKSrhUKO+hGWeXbHfORhxryjagbwGnTd15Dq7B8SEMcubuNXJJiLJ
# G9kuqvAOrZcE/TQbdAr5Zv2vpg0Hh0ZsOrFCn+THES31oD5mgeLTwmXcguPwEyBV
# BT2Pd1UwOXumS+L065Am7PRm+i80C1J3e1dcN9+puBdNkp/kwR9RLMxDpKwEEVtI
# CMpiay4K5evFvXPAl6zFLKOYaeUiEKsxSwfj6A4ZgkuKWPb0TpIqY3vdw6TwvXI+
# lk136hcOxQ6SKJOw11wESOsWgTbqOzgevNsLlQIm3l7MSGJcQOKJwWIU7VFp4qbp
# kJnMeHtlXkkpppXMMKZsa0hXWWXM+miQNSFQhdCEW7KWAWNU5dk=
# =Q49V
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 01 May 2024 12:40:40 AM PDT
# gpg:                using RSA key C2C2C109EA43C63C1423EB84EF5D5E8161BA84E7
# gpg: Good signature from "Kostiantyn Kostiuk (Upstream PR sign) 
<kkostiuk@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C2C2 C109 EA43 C63C 1423  EB84 EF5D 5E81 61BA 84E7

* tag 'qga-pull-2024-05-01' of https://github.com/kostyanf14/qemu:
  qga: Implement SSH commands for Windows
  qga: Refactor common SSH functions
  qga/commands-posix: qmp_guest_set_user_password: use ga_run_command helper
  qga/commands-posix: don't do fork()/exec() when suspending via sysfs
  qga/commands-posix: execute_fsfreeze_hook: use ga_run_command helper
  qga/commands-posix: qmp_guest_set_time: use ga_run_command helper
  qga/commands-posix: qmp_guest_shutdown: use ga_run_command helper
  qga: introduce ga_run_command() helper for guest cmd execution
  qga: guest-get-fsinfo: add optional 'total-bytes-privileged' field

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


  Commit: 935da8c66e12796510cf2ab2978934c273999f3b
      
https://github.com/qemu/qemu/commit/935da8c66e12796510cf2ab2978934c273999f3b
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M hw/ufs/ufs.c

  Log Message:
  -----------
  Merge tag 'pull-ufs-20240429' of https://gitlab.com/jeuk20.kim/qemu into 
staging

ufs queue

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEUBfYMVl8eKPZB+73EuIgTA5dtgIFAmYvEScACgkQEuIgTA5d
# tgL3Qg//R3IcISQqqDaJ/ySzKGmkyohJSc6ySLYvla4Aki7PV+um2Dx/XNS7uG2b
# d3Qz4m6QaOKsocLfldRTn2FxVK238Rp5HNny5vc0kGRdwpR514B7aU0FhpT7qObS
# wbbgRdDddIBIiCFLhtXtg5/TK2h32VxGrVI6llX4gmd2VzqM0e4xeG1Oj8rZseOY
# SAgvDv68s1YwlO1p1vPvst/H+mUKYkqtPN1mjfCIn5tM6ss8kCLUnKjqGAg1BnSN
# xwaGrqqOlzQK2+aV02eiItiow8evU/h+c9eiTnBo/EvBwjoBn6flNXABWXFENnmP
# JjVIFeiNzSFhBPDzO23GXviuEt96j5lrcGYR48HYMZfEbJNpblXzWvEGMZWnXNgx
# Q3cpcarZ4vSWIflR9OnCSQaGLA0Ny6YqLbmrM/oD+v67EITafKKc+flmiF7DBASB
# fUoEsdffdA37LDtygJb7hfUhvPQWWAujmGzZ1cDP8Oa0MhT7aiD0Z/WqhhjVQbM0
# iLiCDDD0cc0pmT3vw3EnEjKjnSkY3H62Q7pnYHiQgij4Ls/Rdd/P7OkSd0aI82t0
# TooWGZJnyf8rjAzY2cEB1Twrhmhuyt9NnGxip9W8JsQBZMLabD2CahOm83zsk7jZ
# 3fOONz6XrW2ttFkLZcRd4x4YjKONjEXsSX2ZrXTZ5t3USz/VNvY=
# =Vwyi
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Apr 2024 08:16:55 PM PDT
# gpg:                using RSA key 5017D831597C78A3D907EEF712E2204C0E5DB602
# gpg: Good signature from "Jeuk Kim <jeuk20.kim@samsung.com>" [unknown]
# gpg:                 aka "Jeuk Kim <jeuk20.kim@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5017 D831 597C 78A3 D907  EEF7 12E2 204C 0E5D B602

* tag 'pull-ufs-20240429' of https://gitlab.com/jeuk20.kim/qemu:
  hw/ufs: Fix buffer overflow bug

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/9c6c079bc672...935da8c66e12

To unsubscribe from these emails, change your notification settings at 
https://github.com/qemu/qemu/settings/notifications



reply via email to

[Prev in Thread] Current Thread [Next in Thread]